I have to agree with Jamie's 1st response- the only real way to control this is to block outbound web traffic at the gateway. Any other attempt would be futile for a smart bunch of computer science students whose only goal is to hack your network when they are bored in computer lab. I do like Darren's SRP recommendation to restrict cscript and wscript but I wonder if that would come back and bite you later Of course blocking port 80 at the gateway can affect every machine on that network unless your student machines are segmented on a separate network. Also- the port 80 restriction could also require additional configuration in every application that currently goes out to the internet for updates, license checking and getting data from Internet resources- without using proxy settings. Do your students have admin rights and are any other browsers installed on the workstations in question? Omar From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: Friday, June 08, 2007 6:25 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys What about setting the proxy settings as per-machine rather than per-user? That should prevent them from changing the keys under HKLM, assuming of course that they don't have local admin rights on the system. The only catch is that you can't configure the per-computer proxy settings directly through Group Policy. You either have to write a custom ADM for them or import a .reg file containing the settings at computer startup. See this article for more details. http://www.jsifaq.com/SF/Tips/Tip.aspx?id=10097 Blocking direct port 80 outbound connections is the way most people do it, but this should work for you. //signed// Jamie R Nelson Systems Engineer Ingenium Corporation ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Thursday, June 07, 2007 10:04 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys You might be able to restrict this using Software Restriction Policy (assuming your clients are XP and above). I'm not sure if you use other "legitimate" .vbs scripts in your environment, but you could use SRP to block execution of cscript.exe and wscript.exe and that would prevent all WSH scripts from running. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Christine Whitewood Sent: Thursday, June 07, 2007 5:09 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys Yes you are correct, I was hoping there would be a way with GPO Chris Whitewood Network Administrator St Francis Xavier College Beaconsfield/Berwick ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: Friday, 8 June 2007 10:02 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys I assume you mean that they are getting to websites they are not supposed to by turning off the proxy settings in their browsers? If that is the case then you should block port 80 traffic outbound (only allowing your proxy server out) on your external router so that users can't get to the internet unless it is through your web proxy. That or run a transparent proxy service. If I am incorrect, please explain in more detail. //signed// Jamie R Nelson Systems Engineer Ingenium Corporation ________________________________ From: Christine Whitewood Sent: Thu 6/7/2007 5:37 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] vb scripts running from USB keys Can anyone tell me how to stop this happening? Our students are running scripts that get them round our proxy. Regards Chris Whitewood Network Administrator St Francis Xavier College Beaconsfield/Berwick